James Saunders Archives | FedScoop https://fedscoop.com/tag/james-saunders/

How cloud modernization transformed OPM cybersecurity operations
https://fedscoop.com/how-cloud-modernization-transformed-opm-cybersecurity-operations/
Tue, 27 Feb 2024 20:27:00 +0000

By shifting to cloud-native solutions, the U.S. Office of Personnel Management has significantly enhanced its underlying security infrastructure to better protect the agency from evolving cyber threats.

Few organizations in the world provide human resource services at the scale of the U.S. Office of Personnel Management (OPM). OPM oversees personnel management services for 2.2 million federal workers — and the retirement benefits for another 2.7 million annuitants, survivors, and family members. Because the agency also manages the federal workforce’s recruiting, hiring, and benefits management, OPM is responsible for handling vast amounts of sensitive data, making it a prime target for cyberattacks. 

Following a massive data breach in 2015, OPM instituted a comprehensive overhaul of its IT and security practices. However, in the years since, it became increasingly clear that without modernizing its underlying IT infrastructure, many of the remedies OPM put in place were becoming outmoded in the face of ever more sophisticated cyberattacks.

That was especially apparent to Guy Cavallo, who arrived at OPM in the fall of 2020 as principal deputy CIO after leading sweeping IT modernization initiatives at the Small Business Administration (SBA) and before that at the Transportation Security Administration (TSA). He was named OPM’s CIO in July 2021.

Recognizing new cyber challenges

“We looked at the on-premises cyber tools that OPM was running since the breach and saw while they were effective, with today’s advancements in AI and cyber capabilities, they weren’t keeping up with the attack vectors we’re facing today,” said Cavallo in a recent interview. Threat actors had shifted to identity-based attacks using more sophisticated tactics, requiring advanced detection and response solutions.

Guy Cavallo, CIO, OPM

“We knew with AI coming and the Executive Order on Cybersecurity requiring logging to get visibility into your environment, investing in on-premises hardware would be a never-ending battle of running out of storage space,” he concluded.

The cloud was “the ideal elastic storage case for that,” he continued. But it also offered other critical solutions. The cloud was the ideal way to host applications to ensure “that we’re always up to date on patching and versions, leaving that to the cloud vendors to take care of — something that the federal government struggles with,” he said.

Checklist for a better solution

Cavallo wanted to avoid the mistake he had seen other organizations make, trying to weave all kinds of tools into an enterprise security blanket. “It’s incredibly difficult to integrate them and not have them attack each other — or also not have gaps between them,” he said. “I’m a believer that simpler is much better than tying together best-of-breed from multiple vendors.”

James Saunders, CISO, OPM

That drove Cavallo and OPM Chief Information Security Officer James Saunders to pursue a fundamental shift to a cloud-native cybersecurity platform and “making that the heart of our security apparatus,” said Saunders.  

After reviewing the options, they elected to move to Microsoft’s Azure cloud-based cybersecurity stack “so that we can take advantage of the edge of cloud, and cloud in general, to collect data logs.” Additionally, it would mean “We didn’t have to worry about software patching and ‘Do I have enough disk space?’ It also allows us to springboard into more advanced capabilities such as artificial intelligence,” Saunders said.

Because OPM exchanges data with many federal agencies that rely on different data systems, Cavallo and Saunders also implemented a cloud access security broker (CASB) — a security policy enforcement engine that monitors and manages security activity across multiple domains from a single location. It also “enables our security analysts to be more efficient and identify threats in a more holistic manner,” Saunders explained.

Added benefits

“There is a general misconception that you can only use cloud tools from the host vendor to monitor and protect that environment. We found that leveraging cyber defenses that span multiple clouds is a better solution for us instead of having multiple different tools performing the same function,” Cavallo added.

Microsoft’s extensive threat intelligence ecosystem and the ability to reduce the number of contracts OPM has to maintain were also critical factors in their decision to move to Azure, Saunders added.

The pay-off

The migration from on-premises infrastructure to the cloud was a complex process involving the retirement of more than 50 servers and the decommissioning of multiple storage areas and SQL databases, according to Saunders. The most challenging aspect, though, was not the technology but managing the transition with the workforce. Extensive training and organizational change management were as critical as the technical migration to the success of the transition.

According to Saunders, the benefits didn’t take long to recognize:

  • Enhanced visibility: OPM now has a more comprehensive view of its security posture, thanks to the centralized platform and increased log collection.
  • Improved threat detection and response: AI-powered tools and Microsoft’s threat intelligence help OPM identify and respond to threats faster and more effectively.
  • Reduced costs and complexity: Cloud-native solutions eliminate the need for buying expensive on-premises hardware and software, while also simplifying management and maintenance.
  • Increased scalability and agility: The cloud platform allows OPM to easily scale its security infrastructure as needed to meet evolving threats and business requirements.

Collectively, those and related cloud benefits are also helping OPM make faster headway in meeting the administration’s zero-trust security goals.

Lessons learned

Perhaps one of the most important benefits is being able to demonstrate the magnitude and nature of today’s threat landscape to the agency’s leadership and how OPM is much better prepared to defend against it, according to Cavallo.

“When James and I showed them the visibility that we have from all those logs, it was a drop-the-mic moment for them. We can say we blocked 4,000 attacks in the last hour, but until you actually show them a world map and our adversaries trying to get into OPM, then be able to click and show the real details of it — those threats get lost in the noise,” he said.

“My recommendation at the CIO level is, this is a better mousetrap. But you can’t just expect people to flock to it. You have to go show them why it’s a better mousetrap.”

Among the other lessons Cavallo recommends to fellow IT leaders:

  • Focus on simplicity: Choose a single, integrated security platform to avoid the complexity of managing multiple tools.
  • Invest in training: Ensure your staff is trained and familiar with new cloud-native security tools and processes.
  • Start small and scale gradually: Begin with a pilot project and gradually migrate your security infrastructure to the cloud.
  • Communicate effectively: Clearly explain the benefits of cloud-native security to your stakeholders and address any concerns.

This report was produced by Scoop News Group for FedScoop as part of a series on technology innovation in government, underwritten by Microsoft Federal.

‘Immense’ synergies to be gained between TIC 3.0 and CDM
https://fedscoop.com/immense-synergies-gained-tic-cdm/
Tue, 08 Dec 2020 20:54:16 +0000

TIC 3.0 and CDM — both developed by DHS’s CISA — are meant to work hand-in-hand in giving agencies visibility into their IT networks and securing them.

As agencies gain more flexibility in how they connect to the internet through the government’s Trusted Internet Connection (TIC) 3.0 policy, there are opportunities to leverage natural synergies between the TIC program and how agencies secure their enterprise with the Continuous Diagnostics and Mitigation (CDM) program.

Both programs were developed by and managed through the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security to monitor traffic on federal networks and secure them from external threats.

The synergies are particularly important as more and more agencies connect externally to cloud services — something that the TIC 3.0 policy champions.

“In regard to cloud security, we’re making sure agencies … get the right visibility of their data in the cloud to ensure that it’s protected and make sure they have proper understanding of who’s accessing it,” Kevin Cox, CDM program manager, said during a recent SNG Live session on TIC 3.0. “So we’re working closely with the TIC team, as well as with the agencies to get those right solutions in place.”

James Saunders, CISO of the Small Business Administration, likens TIC and CDM to the peanut butter and jelly of federal cybersecurity.

“Yes, you can eat a peanut butter sandwich by itself or you can eat a jelly sandwich by itself. But together, you get that good old PB&J, right? So from our perspective, the synergies between the two different programs are immense,” Saunders said.

“TIC to me, it’s that protection piece — making sure your protections are in place so that can counter the adversary — where CDM accounts for that as well as accounts for the ability for you to see what’s happening, and most importantly, share what’s happening with DHS. Because their mission is to see what’s happening across the entirety of the federal enterprise versus just a particular agency.”

Saunders said because TIC and CDM requirements are meant to be so similar, the SBA lumps them together in some regard so that “when we’re selecting tools, building processes, and looking at staff, we’re able to, in short, make sure we’re selecting the right people, processes, procedures to meet those requirements.”

One takeaway from all of this is the increasing ability to use commercial off-the-shelf technology in the government space, said Fortinet CISO Jim Richberg, who devoted much of his career to leading cybersecurity intelligence work in the federal government.

“We’re not saying we’re trying to build typically unique products or capabilities — we’re defining the use cases. TIC does a great job on that,” said Richberg. Then the issue becomes, “What does that imply in terms of network topologies and architectures that you can then deploy things that will give you the high speed diagnostics and the high speed ability from controls to mitigate adverse consequences,” he said.

“So in one sense, it’s a matter of saying, ‘This is the government defining the use cases for which you’re going to apply commercial products to meet CDM-required levels of performance.’”

During the discussion on TIC and CDM, the cybersecurity experts explore more synergies between the two programs. Make sure to see the full video below.


This article was produced by FedScoop and underwritten by Fortinet.
